1. Technical Field
This disclosure relates generally to securing data on mobile devices using cryptographic techniques and, in particular, to pooling entropy to facilitate device-based generation of true random numbers that can be used in cryptographic operations.
2. Background of the Related Art
Random numbers are used in many aspects of modern computer systems. In particular, random numbers are often used in generating appropriate security parameters in a computer system. Computer systems, however, often have a difficult time generating high quality random numbers, i.e., sequences of numbers that are close to being truly random. There are many algorithms that appear to generate random numbers but they typically generate the same sequence of numbers, thus suffering from predictability. Some computer systems attempt to add entropy to a mechanism that generates random numbers as a way to generate differing sequences of random numbers. Entropy refers to a measure of the uncertainty associated with a random number. There are not many good sources of entropy on most computer systems. Some computer systems, for example, rely on the seemingly random behavior of a human typing on a keyboard or moving a mouse pointer to introduce entropy. Other known techniques for adding entropy involve the use of time intervals between interrupts, or the occurrence of network errors, although these are not very useful due to the regularity of these intervals or the ability of outside forces to manipulate these intervals. Moreover, computer systems that have limited user input have difficulty adding entropy to the system to improve the quality of random number generation. For example, embedded systems or highly parallel computer systems may need high-quality random numbers, but they may lack the user input as a source of entropy to improve the quality of random number generation.
Mobile devices, including tablets and smart phones, are commonplace and increasingly being used over networks and the wider Internet. These devices are being used frequently to transfer secure data such as passwords, personal details, credit card transactions, voice-over-IP calls, and the like. As a consequence, there is an increasing need to make such mobile devices more secure. While these devices often have sufficient hardware to perform cryptographic functions (including encryption and decryption), many cryptographic functions require for support a random number generator. Although many of these devices use a pseudo random number generator for many cryptographic functions, a true random number generator (TRNG) is preferred when available. A TRNG is useful for generating various cryptographic materials, such as keys, nonces, one-time pads, and salts. Currently, however, mobile devices do not provide hardware-based TRNGs that software can call readily, especially at high throughput.
The sources of high throughput entropy on mobile devices are not always available to produce TRNGs. The common entropy sources on mobile devices typically include the following: batteries, microphones, cameras, wireless signals, touch screens, accelerometers, magnetometers, and the like. It is well-known to use such sources for entropy and thus true random number generation. One problem with this approach is that these sources are only available for short time periods and/or are not always capable of producing entropy in certain situations. In particular, the device operating system often turns off this hardware when not in use (to conserve battery). Turning on microphones, cameras, wireless interfaces, and the like, draws significant power that can have significant adverse effects on the device's battery life. Without the use of such devices as entropy sources, TRNGs can be difficult and time-consuming to generate. Applications having a need to produce TRNGs thus struggle to find a reliable entropy source that is high throughput and readily available without relying on the operating system to switch on and use a hardware device to capture entropy. Moreover, the demand for high throughput entropy (to create TRNGs) will only be increasing as mobile devices become more essential in environments, especially those that require secure communications (such as VoIP, VPN, and the like). These operations require a very high entropy throughput to create the TRNGs required for such computationally-intensive secure communication. Indeed, currently the entropy required for these types of operating scenarios is simply not available on today's mobile devices.
With the significance and high importance of security even when entropy is made available by hardware, the complexity of an application gaining access to the hardware and given entropy can deter the application from following security and cryptography best practices.
There remains a need to provide mobile devices with an improved way to provide adequate sources of entropy to enable the system to produce with high throughput TRNGs that are needed to support cryptographic operations.